RELEASE NOTE V1
Page 1 /24 12-11-2014 snenrno_firewall-version-1.2.0 - Copyright Netasq 2014
Stormshield Network Firewall
RELEASE NOTE V1
Upgrade
Lowest version required: Stormshield Network 1.x and NETASQ 9.1.x
Hardware compatibility:
SN150, SN200, SN300, SN500, SN700, SN900, SN2000, SN3000 and SN6000
NETASQ U30S, U70S, U150S, U250S, U500S, U800S, NG1000-A and NG5000-A
Stormshield Network and NETASQ Virtual Appliances
NOTE
Before any upgrade, you are strongly advised to read the chapter on Explanations on
usage carefully and to back up the configuration.
Highlights
Feature covered                 Level of modification
SSL VPN                         Major
IPv6 support                    Major
Activity Report – Log           Major
Network interfaces              Major
Intrusion prevention engine     Major
Cloud backup                    Minor
“Guest” authentication          Minor
HTTP proxy                      Minor
Version
This release note contains the description of the main modifications made to the various
versions of the same major version. You are advised to apply the latest version in order to
benefit from the most recent developments and bug fixes.
Managing the life cycle of versions
According to the terms of the document Product Life Cycle Stormshield Network Security,
the maintenance of firmware versions of the 1.x branch is guaranteed up to 03/07/2015. In
the absence of a more recent version, support will be provided for this version and version
1.0.0.
Precautions before a migration
The NSRPC binary (Windows executable) allows logging on remotely to firewalls and
executing CLI commands sequentially. Since version 1.0, communications have been
authenticated via HMAC-SHA2, so the NSRPC client must be upgraded. This can be done in
the client and partner areas.
Dynamic objects
In versions of Netasq firmware lower than 9.0.6, configurations may contain dynamic
objects with an IP address equal to 0.0.0.0. Such values could cause conflicts during the
ASQ engine’s processing, so you are advised to look for such objects and replace the value
0.0.0.0 with a valid IP address before the migration.
ARP entries
If the configuration of the number of ARP entries had been customized (MaxEntries field in
the file ConfigFiles / arp), it will be reinitialized during a migration operation. This number
will need to be customized again when the version is changed (MaxARPEntries and
MaxNDPEntries fields in the file ConfigFiles / ether).
1.2.0: Features, Resolved vulnerabilities, Bug fixes, Known issues
1.1.3: Bug fixes
1.1.2: Features
1.1.1: Bug fixes
1.1.0: Features, Resolved vulnerabilities
1.0.0: Features
Explanations on usage
1.2.0 Features
Intrusion prevention
Support reference 47619
The intrusion prevention engine recognizes and analyzes both of the new encryption suites
(ChaCha20 and Poly1305) embedded in Google servers (*.google.*) and recent versions of
the Chrome browser.
Two additional types of Microsoft RPC (DCE/RPC) traffic are analyzed by the intrusion
prevention engine (Protocols module). These are the Microsoft Exchange EMSMDB interface
and the Microsoft Exchange Async EMSMDB interface.
System
Firewalls can now log on to external LDAP directories using a posixGroup schema (users are
saved with their user names instead of their DNs [Distinguished Name]). The LDAP directory
can only be chosen via CLI commands for the moment.
On SN6000 high-end models, the LCD screen successively displays a set of information
relating to the system or to certain features when they are enabled: the firewall’s name or
serial number, the firmware version of the main partition, high availability status (HA), RAID
status, and IP address of the IPMI (Intelligent Platform Management Interface).
Web administration interface
In order to strengthen the security of connections to the web administration interface, the
encryption suites based on the hash algorithm SHA1 are no longer authorized. Only the
suites based on SHA2 can now be used. As a result, for some older versions of web
browsers (e.g.: Microsoft Internet Explorer v9), the TLS v1.2 protocol must be enabled.
Dashboard
The statuses of disks and any RAID volumes (high-end SN3000 and SN6000 firewalls) as
well as power supply modules (high-end SN3000 and SN6000 firewalls) are now displayed
in the Hardware window on the Dashboard.
Web objects
Comments can now be added to each element belonging to a customized URL category, or
to a customized category of certificate names.
Application inspections: FTP
An option now allows restricting the use of the FTP protocol to certain user accounts, by
defining a list of authorized users and/or list of blocked users. This option is available from
the FTP users tab in the FTP Protocol module.
SSL VPN tunnel
The listening port of the SSL VPN tunnel server can now be configured (the default value
suggested remains port TCP/443). Do note that certain reserved ports (e.g.: http_proxy)
cannot be used.
Authentication portal
Users authenticated via the firewall’s portal can now log off from this portal without having
to re-enter their logins and passwords, thanks to the authentication cookie.
Virtual firewalls
The Ethernet network driver on Stormshield Network virtual firewalls (vmx) has been
updated, allowing them to reach throughputs of up to 10 Gb/s.
Stormshield Network Real-Time Monitor
The statuses of internal disks and any RAID volumes (high-end SN3000 and SN6000
firewalls) as well as power supply modules (high-end SN3000 and SN6000 firewalls) are
now displayed in the Hardware module in SN Real-Time Monitor.
1.2.0 Resolved vulnerabilities
SSL and TLS security flaw
Vulnerabilities that can cause Man in the Middle (MITM) attacks or Denials of Service have
been resolved following the upgrade of the OpenSSL cryptographic library to version 1.0.1j.
The list of these vulnerabilities is as follows:
- SRTP Memory Leak (CVE-2014-3513),
- Session Ticket Memory Leak (CVE-2014-3567),
- SSL 3.0 Fallback,
- Build option no-ssl3 is incomplete (CVE-2014-3568).
FreeBSD security flaw
A vulnerability regarding TCP packet treatment (FreeBSD-SA-14:19 – Denial of service in the
treatment of TCP packets) has been resolved by the application of a FreeBSD security fix.
1.2.0 Bug Fixes
Intrusion prevention
Support reference 47370
The use of the SIP protocol within a NAT rule specifying the destination port would generate
an anomaly in address translation for the Contact field. This malfunction has been fixed.
Support reference 47975
When the Contact field of a SIP packet going through the firewall contained commas
within a character string, the intrusion prevention engine could interpret it incorrectly,
thereby preventing the telephone from registering with the SIP server. This anomaly has
been fixed.
Support reference 45544
Traffic from WAN optimization tools developed by Riverbed Technology going through a filter
rule defined in firewall mode could prevent the intrusion prevention engine from running
correctly due to the specific TCP syntax used by these appliances. This issue has been
resolved.
System
Support reference 48124 - 48316
When a connection to a firewall is made through a PPTP tunnel which was interrupted then
set up again, certain network packets may be re-sent continuously, potentially causing the
firewall to freeze. This issue has been fixed.
Support reference 46864
Whenever the language configuration file contained an empty or invalid Keyboard field, the
menu System > Configuration may no longer be accessible and cause a disconnection from
the administration interface. This issue has been resolved.
File system
Support reference 48267
The firewall could potentially write data on the disk sector bearing the label of a partition.
This partition would then be detected by the system as corrupted and irreparable. This
issue has been resolved with the adoption of the UFS (Unix File System) disk partitioning
system.
Interfaces
Support reference 47595
The modem creation wizard selected by default the type of connection “if there is traffic (on
demand)”, which could cause the modem to malfunction. This reaction has been modified,
and the “permanent” connection type is now the predefined choice.
DHCP
Support reference 47494
On a firewall that already has a DHCP address range associated with a gateway, a second
routed DHCP range could not be created. This anomaly has been fixed.
Support reference 47030
In configurations containing a DHCP address range as well as a static route on the same
protected interface, the DHCP server could potentially stop adhering to the address range
for this interface, thereby distributing unsuitable IP addresses. This issue has been
resolved.
Support reference 47396
For configurations containing a very large number of DHCP reservations, the configuration
file generated could not be fully read by the DHCP server, which may then fail to restart
correctly. This anomaly has been fixed.
Support reference 46340
When remote clients were connected via PPTP, the DHCP server could no longer be started
as it would then attempt to listen to DHCP requests on the virtual interface dedicated to
these PPTP tunnels. This issue has been resolved.
Authentication
Support reference 47667
When an authentication rule contained several methods including authentication via SSO
Agent, the method listed just after it could potentially stop being applied, therefore causing
authentication problems. This issue has been resolved.
Filtering and NAT
Support reference 44621
In certain configurations of filter rules (routing on a gateway other than the default gateway,
the use of automatic protocol detection and value of the protocol field forced to “TCP”),
packets sent by the firewall could bear a wrong source IP address (address of the interface
connected to the default gateway). This issue has been resolved.
Policy Based Routing
Support reference 45689 - 47089 - 47940 - 48173
When gateways are specified in filter rules (Policy Based Routing), their availability is
systematically tested by a monitoring mechanism (ICMP echo request message). In
configurations that use two (or more) dialup gateways on a single ISP (internet service
provider), the ISP would present the same remote IP address for both appliances, which
was incompatible with the gateway monitoring mechanism. This issue has been resolved.
Some environments do not allow pings to internet access gateways (dialup). During the
implementation of routing to dialup gateways in filter rules (PBR: Policy Based Routing), the
availability monitoring mechanism could wrongly consider these gateways as unreachable.
This detection mechanism has been enhanced in order to fix this issue.
Logs
Support reference 47528
Following the migration of a configuration from v9.1.x to v1.1.0 with log file rotation enabled
(menu Configuration > Notifications > Logs – syslog), only the oldest file in each log
category was deleted. As the size of these files could reach 20M in version 1.x (as opposed
to only 5M in version 9.1.x), the partition reserved for the storage of these files could then
become saturated. The method for calculating the disk space needed for each log category
has been reviewed in order to fix this problem.
SSL Proxy
The use of the SSL proxy on SN150 Firewalls could potentially prevent or alter the display of
HTTPS pages. This issue has been resolved.
Software update via USB key
Support reference 47636 - 47637
In the context of an upgrade via USB key, the firewall would reboot before installing the
firmware version downloaded from the key. If the USB key was still plugged in after this
reboot, the firewall would detect it again and attempt to download the same upgrade a
second time. So that the USB key could be removed, and the installation of an identical
upgrade thus prevented, this reboot was replaced by a shutdown. The issue is now resolved
by detecting the version of the upgrade present on the key, and the installation will
eventually be preceded by a simple reboot again.
Web administration interface
Software updates
When a firmware upgrade was indicated as unavailable in the System update tab in the
Maintenance module, the download link could fail to work. This anomaly has been fixed.
Support reference 47384 - 47630
During a search for firmware upgrades, a message indicating “No information available”
could mistakenly appear. This issue has been resolved.
Routing
Support reference 47344
When adding a static route using the IPSec VPN interface, an error message would indicate
that this interface could not be found. This anomaly has been fixed.
LDAP directory
Support reference 45863
When the Organization field in the LDAP directory contained square brackets “[ ]”, users in
the directory were not visible in the Users menu on the firewall. This issue has been
resolved.
Filtering and NAT
Support reference 46722
Filter rules that use proxies (through a URL inspection for example), and a destination port
combined with a comparison operator (!=, > or <), could wrongly be indicated as invalid.
This anomaly has been fixed.
Support reference 46523
The use of groups containing more than 256 objects in a filter rule would generate warning
messages when the filter policy is loaded, and the storage of these messages could cause
the partition dedicated to logs to fill up. This behavior has been corrected.
PKI and certificates
Support reference 45436
The creation of a certificate for a user with an e-mail address identical to that of a user
already configured on the firewall would cause an error message to appear, displaying the
password of the associated CA. This anomaly has been fixed.
Objects
Support reference 47594 - 47714
When an empty group was created on a firewall using only IPv4 addressing, this group
could not be displayed (list of network objects) or selected in the administration interface
(in a filter rule, for example). This anomaly has been fixed.
User Access Control (UAC)
Support reference 47364
Following the migration of a configuration containing VPN access privilege rules from v9.x to
v1.1.0, these privileges could no longer be modified. This issue has been resolved.
IPSec VPN
Support reference 47563
The wizard for creating an IPSec Mobile – Config mode policy did not allow the use of the
“all” object in the Local network field. This behavior has been modified.
Notifications
Support reference 47449
In the settings of the SMTP server that sends e-mail notifications, the DNS domain field
offered the value netasq.com by default. This field is now left empty.
Support reference 47252
The e-mail template used for sending alarm reports has been modified.
SSL VPN tunnel
Support reference 47500
During the installation of the Stormshield Network SSL VPN Client software, the associated
Windows service (Stormshield SSL VPN Service) was configured in manual startup mode.
This service is now installed in automatic startup mode.
Support reference 47620
Users with passwords that contain the character “%” were unable to log on through the
Stormshield Network SSL VPN Client. This anomaly has been fixed.
Support reference 47479
The installation of the Stormshield Network SSL VPN Client by a standard user via the
privilege elevation option (“Run as administrator”) failed with the message “the folder does
not exist”. This issue has been resolved.
Support reference 47416
When an error arose during the installation of the Stormshield SSL VPN Client, this
application could then no longer be uninstalled correctly. This issue has been fixed.
VMWare virtualization
Support reference 47281
The virtual disk (vmdk file) included in the disk images on firewalls (ova format) presented
compatibility issues with the latest upgrades of the VMware ESXi virtualization software
(versions 5.0 and 5.1 only). This issue has been resolved and new disk images have been
published in your secure area.
Stormshield Network SSO Agent
When an authenticated user’s connection type changed quickly (e.g. a wired connection
dropping and being immediately replaced by a wireless connection), the SN SSO Agent could
consider the user as logged off. This behavior has been corrected.
Stormshield Network Real-Time Monitor
Support reference 47504 - 47311
Adding a firewall to an empty address book made this address book inaccessible in SN
Real-Time Monitor, and would cause the following message to display: “The address book
cannot be opened. File does not exist or you don’t have the appropriate access rights”. This
issue has been resolved.
Stormshield Network Administration Suite
Support reference 47505
The Stormshield Network Administration Suite installation wizard offered the wrong URL for
product registration. This anomaly has been fixed.
Support reference 47506
The contact e-mail address and link to the Stormshield website have been modified in the
welcome screens on SN Administration Suite applications (SN Real-Time Monitor, SN
Unified Manager and SN Event Reporter).
Stormshield Network Unified Manager
Support reference 47508
In the SN Unified Manager welcome menu, the description of the option allowing the user to
quit the application was truncated. This display flaw has been fixed.
Support reference 47511
The option for importing an address book has been deleted from the File menu in the
Stormshield Network Unified Manager application.
Support reference 46840
The pop-up menu that allows adding external tools did not function for appliances other
than firewalls (servers, workstations, etc.). This issue has been resolved.
Known issues
Intrusion prevention
Support reference 45406
In filter rule configurations combining address translation and inspection in “firewall”
or “IDS” mode, connections using a protocol that requires packets to be rewritten (FTP,
for example) can be altered. TCP packets whose sequence number falls outside the expected
TCP window stop the protocol scan (the plugin attached according to the protocol type).
Since the rewriting of packets depends on this scan, interrupting it distorts the
associated NAT.
System
A vulnerability has been detected on the firewall’s FTP client. For it to be exploited, the FTP
client would need to execute FTP commands that redirect to malicious HTTP URLs by leaving
out the output file (“-o” FTP option). E.g.: ftp http://server/path/file.txt.
In its native state, this flaw cannot be exploited as the firewall never uses this FTP client for
file transfers. However, to prevent any risk of the exploitation of this vulnerability, you are
advised against executing scripts that would implement this FTP client on the firewall.
Interfaces
The connection type “if there is traffic (on demand)”, prevented a modem from operating
correctly. Therefore, during the creation of a modem in the wizard, the “permanent”
connection option is now selected by default.
On U30S and SN200 models, several VLANs can now be created within a bridge via the web
administration interface. However, you are strongly advised against performing this
operation which is not supported as it can lead to flaws in the transmission of responses to
ARP requests received on these VLANs to the other interfaces of the bridge.
1.1.3 Bug fixes
System
Support reference 47633 - 47635
The automated procedure for updating a firewall by booting on a USB key is once again
operational.
Network
Support reference 47548
The implementation of a VLAN on models in the higher end of the Stormshield Network
firewall range (SN2000, SN3000 and SN6000) did not function properly. This issue has
been fixed.
Intrusion prevention
A problem with the calculation of the TCP sequence number when rewriting data could
potentially cause the firewall to freeze. This anomaly has been fixed.
1.1.2 Features
Support for high-range models
Version 1.1.2 is now compatible with the whole range of Stormshield Network firewalls, in
particular the high-range model SN6000.
1.1.1 Bug fixes
System
If the option Enable log storage had been disabled, it could not be re-enabled afterwards.
This problem was due to a detection error on the partition hosting the logs. This anomaly
has been fixed.
Network
VLANs attached to a single interface (VLAN endpoint) could no longer be created or
modified from the web administration interface in version 1. Indeed, interfaces could not be
selected, thereby preventing the modification of this parameter for an existing VLAN or the
validation of the creation of a VLAN through the wizard. This issue has been fixed.
1.1.0 Features
Support for high-range models
Version 1.1.0 now provides support for high-range models of Stormshield Network firewalls
SN2000 and SN3000.
Global Administration
Deployment
For firewalls on which high availability has been enabled, wizards for object deployment
and the filter policy now offer an option that allows synchronizing the members of the
cluster at the end of the deployment.
1.1.0 Resolved vulnerabilities
SSL and TLS security flaw
A vulnerability that could cause a Man-in-the-middle (MITM) attack has been patched with
the upgrade of the OpenSSL cryptographic library in version 1.0.1h. This protects the user
from potential complex attacks during TLS negotiation (CVE-2014-0224).
1.1.0 Bug fixes
Web administration interface
Dashboard
Support reference 43992
For firewalls with redundant disks, the status of the RAID volume was not correctly
displayed in the Hardware window in the Dashboard module (“no RAID available” message).
This anomaly has since been fixed, and the properties of each disk belonging to a RAID
cluster are displayed (identification of the disk, occupation of RAID volume and status of
the disk).
1.0.0 Features
SSL VPN
SSL VPN allows remote users to safely access the company’s internal resources: shared
networks, databases, applications, intranet, etc. All communications between the remote
user and the central site will then be encapsulated and protected through a tunnel
encrypted in SSL. This solution therefore guarantees authentication, confidentiality,
integrity and non-repudiation.
From the client’s point of view, the way the SSL VPN works is similar to how an IPSec VPN
client works in XAUTH mode, but has the advantage of a simplified configuration.
Furthermore, it uses only TCP port 443, and therefore offers easy access from networks that
filter internet access (hotels, public WiFi, 3G connection, etc.).
This operating mode, based on the OpenVPN open source technology (OpenVPN is licensed
under GPL version 2), makes it accessible on any type of terminal (Windows, iOS, Android,
etc.) through the SSL VPN client or an OpenVPN client, which has become a necessity in
BYOD (Bring Your Own Device) environments.
Network traffic that goes through an SSL VPN tunnel also benefits from advanced firewall
features such as authentication, URL filtering and intrusion prevention.
IPv6 support
Support for IPv6, offered in this new version, enables firewalls to be integrated into IPv4
and/or IPv6 infrastructures. Networking features (interfaces and routing), filtering, VPN and
Administration are compatible with IPv6. This support is optional and can be enabled in the
Configuration module.
The web administration interface can then be reached over IPv6 or IPv4, as the firewall’s
network interfaces can have either a static IPv6 address only, or an IPv6 address alongside
an IPv4 address (dual stack). Moreover, static routes and gateways can now be entered in
IPv6.
The SLAAC (StateLess Address AutoConfiguration) mechanism has been implemented on
the firewall in order to manage Router Advertisements (RA), which allow the automatic
configuration of hosts on the network by distributing the IPv6 prefixes to use. These
advertisements also allow communicating DNS parameters (RDNSS support - RFC 6106)
and defining the firewall as the default gateway. The firewall’s DHCPv6 relay or server
service may complement this mechanism in order to obtain, for example, the reservation of
addresses in IPv6.
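The Router Advertisement mechanism described above can be followed in code. The block below is an added example, not part of this release note and not Stormshield code: it encodes an RA carrying a Prefix Information option and an RDNSS option (RFC 4861 and RFC 6106 formats), decodes it again, and compares the announced prefix and DNS servers against the set a defender expects on that segment, which is the core of a rogue-RA check. The addresses are constructed from the documentation range, and the ICMPv6 checksum is left at zero because it covers the IPv6 pseudo-header, which this sample does not include.

```python
import ipaddress
import struct

# ICMPv6 type and Neighbor Discovery option codes (RFC 4861, RFC 6106)
ND_ROUTER_ADVERT = 134
OPT_PREFIX_INFO = 3
OPT_RDNSS = 25


def build_prefix_option(prefix, valid, preferred, on_link=True, autonomous=True):
    """Prefix Information option: 32 bytes, i.e. length 4 in 8-octet units."""
    net = ipaddress.IPv6Network(prefix)
    flags = (0x80 if on_link else 0) | (0x40 if autonomous else 0)
    head = struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, net.prefixlen, flags, valid, preferred, 0)
    return head + net.network_address.packed


def build_rdnss_option(servers, lifetime):
    """RDNSS option: 8-byte header followed by one 16-byte address per server."""
    addrs = b"".join(ipaddress.IPv6Address(s).packed for s in servers)
    return struct.pack("!BBHI", OPT_RDNSS, 1 + 2 * len(servers), 0, lifetime) + addrs


def build_router_advertisement(hop_limit, router_lifetime, options, managed=False, other=False):
    """16-byte RA header plus options; checksum field left at zero (see lead-in)."""
    flags = (0x80 if managed else 0) | (0x40 if other else 0)
    head = struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, hop_limit, flags, router_lifetime, 0, 0)
    return head + b"".join(options)


def parse_router_advertisement(packet):
    """Decode an RA into a dict; malformed options raise ValueError (RFC 4861: discard)."""
    if len(packet) < 16 or packet[0] != ND_ROUTER_ADVERT or packet[1] != 0:
        raise ValueError("not a Router Advertisement")
    hop_limit, flags, router_lifetime = struct.unpack("!BBH", packet[4:8])
    ra = {"hop_limit": hop_limit, "managed": bool(flags & 0x80), "other": bool(flags & 0x40),
          "router_lifetime": router_lifetime, "prefixes": [], "dns_servers": []}
    pos = 16
    while pos < len(packet):
        if len(packet) - pos < 2:
            raise ValueError("truncated option header")
        kind, length = packet[pos], packet[pos + 1]
        if length == 0:
            raise ValueError("option with zero length")
        size = length * 8
        body = packet[pos:pos + size]
        if len(body) < size:
            raise ValueError("truncated option body")
        if kind == OPT_PREFIX_INFO and length == 4:
            plen, pflags, valid, preferred = struct.unpack("!BBII", body[2:12])
            prefix = ipaddress.IPv6Network((int.from_bytes(body[16:32], "big"), plen), strict=False)
            ra["prefixes"].append({"prefix": str(prefix), "on_link": bool(pflags & 0x80),
                                   "autonomous": bool(pflags & 0x40),
                                   "valid": valid, "preferred": preferred})
        elif kind == OPT_RDNSS and length >= 3 and length % 2 == 1:
            lifetime = struct.unpack("!I", body[4:8])[0]
            for off in range(8, size, 16):
                addr = ipaddress.IPv6Address(body[off:off + 16])
                ra["dns_servers"].append({"address": str(addr), "lifetime": lifetime})
        pos += size  # unknown option kinds are skipped, as RFC 4861 requires
    return ra


def check_advertisement(ra, allowed_prefixes, allowed_dns):
    """Findings for anything the RA announces outside the expected sets (rogue-RA check)."""
    findings = []
    for p in ra["prefixes"]:
        if p["prefix"] not in allowed_prefixes:
            findings.append("unexpected prefix %s" % p["prefix"])
    for d in ra["dns_servers"]:
        if d["address"] not in allowed_dns:
            findings.append("unexpected DNS server %s" % d["address"])
    if ra["router_lifetime"] > 0 and not ra["prefixes"]:
        findings.append("default router offered without any prefix")
    return findings


if __name__ == "__main__":
    # Constructed sample: one documentation-range prefix and one RDNSS server.
    pkt = build_router_advertisement(64, 1800, [
        build_prefix_option("2001:db8:1::/64", 86400, 14400),
        build_rdnss_option(["2001:db8:1::53"], 1800),
    ])
    ra = parse_router_advertisement(pkt)
    print(ra)
    print(check_advertisement(ra, {"2001:db8:1::/64"}, {"2001:db8:1::53"}))
```

Fed from a capture of ICMPv6 type 134 packets on a protected segment, `check_advertisement` flags any router that announces a prefix or resolver the administrator did not expect, which is the failure mode SLAAC is exposed to when an unmanaged device starts sending advertisements.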
Network objects (hosts, networks and IP address ranges) may be addressed in IPv6, or in a
hybrid of versions. Filter policies can therefore be applied to IPv6 objects and can use
security inspection (customizable inspection profiles). However, application inspection
features (Antivirus, Antispam and URL, SMTP, FTP and SSL filtering) are not available in this
version. Likewise, network address translation (NAT) cannot be performed on IPv6 objects.
NOTE
For interfaces addressed in IPv6 and which belong in a bridge, in Advanced properties,
the option for routing without an IPv6 protocol scan must be unselected, in order to
authorize filtering on traffic.
IPSec tunnels are also compatible with IPv6. Tunnels can therefore be set up between two
IPv6 endpoints and allow IPv4 or IPv6 traffic to go through. Conversely, IPv6 traffic can also
go through IPv4 IPSec tunnels.
Built-in Bird dynamic routing is also compatible with IPv6.
Activity reports
Logs
Activity reports now allow you to monitor and use logs generated by appliances and stored
locally. It is now easier to browse them in views by alarms, connection, web logs, etc.
Filtering criteria available in advanced search mode allow a detailed analysis of logs.
Activity reports
In the Vulnerabilities category, 3 new "Top 10" reports display vulnerabilities with a Client or
Server target, as well as a report on the most vulnerable applications.
Collaborative security
For more collaborative security, based on vulnerability reports generated by Vulnerability
Manager, the level of protection on a machine identified as vulnerable can now be raised in
just a single click. As such, when critical vulnerabilities are detected, you will now be able to
add affected machines to a group created earlier, and to assign a strengthened protection
profile or specific filter rules to it (quarantine zones, restricted access, etc.).
Network
Link aggregation – NG models
For the purposes of performance and the availability of physical links, the new version
introduces the LACP (Link Aggregation Control Protocol) feature. Several physical ports can
therefore be grouped together and treated as a single interface, either to increase
throughput through load balancing or to provide a fallback in the event of a link failure
(redundancy). This feature is only available on SN2000, SN3000, SN6000, NG1000 and
NG5000 models.
DHCP through IPSec VPN
Local users can now obtain their IP parameters automatically from a remote DHCP server
through an IPSec tunnel. To do this, enter the parameter “IP address used to relay DHCP
queries” in the DHCP relay options and select the IPSec interface among the listening
interfaces.
TCP-MD5 support for BIRD
Support for TCP-MD5 authentication in BIRD dynamic routing makes it possible to protect
BGP sessions by authenticating each TCP segment with a signature carried in the TCP header
(RFC 2385).
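To show what the TCP-MD5 protection actually binds, the following added example (not code from this release note, from BIRD or from Stormshield) implements the RFC 2385 digest: MD5 over the IPv4 pseudo-header, the fixed TCP header with the checksum zeroed, the payload and the shared key, carried in TCP option kind 19. The sending side signs a constructed segment between two documentation addresses on the BGP port, and the receiving side verifies it, rejecting a wrong key, a modified payload or swapped addresses. The key and the segment contents are constructed for the example.

```python
import hashlib
import hmac
import ipaddress
import struct

TCP_PROTO = 6
TCPOPT_MD5SIG = 19    # option kind defined by RFC 2385
TCPOLEN_MD5SIG = 18   # kind + length + 16-byte digest


def build_tcp_segment(src_port, dst_port, seq, ack, flags, window, payload, options=b""):
    """Fixed 20-byte TCP header, options padded to a 4-byte boundary, then the payload.
    The checksum field is left at zero; RFC 2385 zeroes it before hashing anyway."""
    options += b"\x00" * (-len(options) % 4)
    data_offset = (20 + len(options)) // 4
    header = struct.pack("!HHIIBBHHH", src_port, dst_port, seq, ack,
                         data_offset << 4, flags, window, 0, 0)
    return header + options + payload


def tcp_md5_digest(src_ip, dst_ip, segment, key):
    """RFC 2385 section 2: MD5 over pseudo-header, fixed TCP header with checksum zeroed
    (options excluded), the payload, and finally the shared key."""
    data_offset = (segment[12] >> 4) * 4
    if data_offset < 20 or data_offset > len(segment):
        raise ValueError("invalid TCP data offset")
    pseudo = (ipaddress.IPv4Address(src_ip).packed + ipaddress.IPv4Address(dst_ip).packed
              + struct.pack("!BBH", 0, TCP_PROTO, len(segment)))
    fixed = bytearray(segment[:20])
    fixed[16:18] = b"\x00\x00"
    payload = segment[data_offset:]
    return hashlib.md5(pseudo + bytes(fixed) + payload + key).digest()


def sign_segment(src_ip, dst_ip, src_port, dst_port, seq, ack, flags, window, payload, key):
    """Build a segment carrying the MD5 Signature option. A zeroed placeholder is laid out
    first, because the digest covers the segment length but not the option bytes."""
    placeholder = bytes([TCPOPT_MD5SIG, TCPOLEN_MD5SIG]) + b"\x00" * 16
    segment = build_tcp_segment(src_port, dst_port, seq, ack, flags, window, payload, placeholder)
    digest = tcp_md5_digest(src_ip, dst_ip, segment, key)
    return segment[:22] + digest + segment[38:]


def find_md5_option(segment):
    """Walk the TCP options and return the 16-byte digest, or None if absent."""
    data_offset = (segment[12] >> 4) * 4
    options = segment[20:data_offset]
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:            # End of Option List
            break
        if kind == 1:            # No-Operation
            i += 1
            continue
        if i + 1 >= len(options):
            break
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            break
        if kind == TCPOPT_MD5SIG and length == TCPOLEN_MD5SIG:
            return options[i + 2:i + length]
        i += length
    return None


def verify_segment(src_ip, dst_ip, segment, key):
    """Receiver side: a segment without a valid signature for this key must be dropped."""
    received = find_md5_option(segment)
    if received is None:
        return False
    expected = tcp_md5_digest(src_ip, dst_ip, segment, key)
    return hmac.compare_digest(received, expected)


if __name__ == "__main__":
    # Constructed sample: a short payload from a peer to the BGP port (179).
    key = b"bgp-shared-secret"
    seg = sign_segment("192.0.2.1", "192.0.2.2", 40000, 179, 1000, 2000, 0x18, 65535, b"KEEPALIVE", key)
    print("valid with the right key:", verify_segment("192.0.2.1", "192.0.2.2", seg, key))
    print("valid with a wrong key  :", verify_segment("192.0.2.1", "192.0.2.2", seg, b"other"))
    tampered = seg[:-1] + bytes([seg[-1] ^ 0x01])
    print("valid after tampering   :", verify_segment("192.0.2.1", "192.0.2.2", tampered, key))
```

Because the source and destination addresses are part of the hashed pseudo-header, a segment replayed from another address fails verification even with the right key; and because MD5 here is keyed by appending a shared secret rather than by HMAC, the strength of the protection rests entirely on the secrecy and length of that key.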
Intrusion prevention
“FastPath” mode
For rules with inspection in “firewall” mode, traffic has been optimized and throughput
multiplied. This enhancement has been applied to IPv4 traffic, without NAT and without
scans that open dynamic connections (e.g.: FTP). This mode is recommended if traffic is
dedicated to data backups or replication or for access to a main firewall’s satellite VPN sites
if this firewall already scans traffic.
Multi-context signatures
This version applies a significant enhancement of the intrusion prevention engine. To
counter complex attacks, the IPS engine is now able to correlate signatures in different
contexts. Anti-evasion protection mechanisms have also been strengthened.
MS-RPC scan
In order to secure Microsoft RPC traffic, based on the DCE/RPC standard, this standard will
be fully scanned. A new entry in the Protocol module offers to authorize or reject traffic
using this protocol, described in detail by the Microsoft service (Microsoft Exchange, for
example). A tooltip will show the UUID (Universal Unique Identifier) of each service when
you roll your mouse over its name. A blacklist allows unreferenced services to be blocked
by entering their UUIDs.
EPMAP scan and NetBios CIFS and NetBios SSN inspections
As the DCE/RPC protocol can be integrated into NetBios CIFS and NetBios SSN protocols, a
new option allows you to inspect it. The options for the EPMAP protocol, which is used to
relay access to services, allow restricting relays. Dynamic connections can also be opened
on EPMAP (portmapper).
MAC addresses
Source MAC addresses are now notified in all connection logs for machines that belong to
the same network.
Authorized Google services and accounts
An option enables the restriction of access to services and accounts provided by Google.
By entering the domains with which your company is registered with Google Apps, as well
as any secondary domains, access to Google services will be restricted to these authorized
domains. This option is available via the HTTP protocol module.
Cloud backup
The “Cloud backup” option is a service range that allows securely performing regular
backups of your firewall’s configuration. These backups can be stored on a local server, a
server hosted by a partner or within the Cloud backup Service infrastructure.
Authentication
Guest method
This mode allows identification without authentication for access to a public WiFi network,
for example. By default, this method enables the display of the conditions of use for
internet access, which can be customized in the Captive portal tab. When these “guest”
users log in, it will be recorded in the logs with the addition of the source MAC addresses.
HTTP proxy
HTTP protocol
An option makes it possible to allow or deny the use of an IP address as a URL, i.e.
reaching a site through its IP address instead of its domain name, since a URL written this
way may bypass the URL filter. As this block is applied after the evaluation of the filter
rules, an internal server can still be contacted through its IP address if its access is
explicitly authorized in the filter policy.
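The check behind this option is easy to get wrong, because browsers accept more spellings of an IPv4 address than the dotted-quad form. The following added example (not Stormshield's implementation, and the allow-list logic is an assumption that simply mirrors the ordering described above) recognises dotted, bracketed IPv6, plain-decimal and hexadecimal host literals, then applies the decision after an explicit authorisation list, so that an internal server stays reachable by address while other IP-literal URLs are refused. The URLs and the internal range are constructed for the example.

```python
import ipaddress
from urllib.parse import urlsplit


def ip_literal_host(url):
    """Return the IP address a browser would connect to when the URL's host is an IP
    literal rather than a domain name, else None.

    Covers the dotted-quad and bracketed IPv6 forms plus the numeric spellings
    (plain decimal, 0x-prefixed hex) that browsers still resolve to an IPv4 address.
    The legacy leading-zero octal form is not handled here."""
    host = urlsplit(url).hostname   # lower-cased; brackets stripped for IPv6
    if not host:
        return None
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        pass
    try:
        value = int(host, 0)        # "3221225985" or "0xc0000202"
    except ValueError:
        return None
    if 0 <= value <= 0xFFFFFFFF:
        return ipaddress.IPv4Address(value)
    return None


def proxy_decision(url, authorized_networks):
    """Assumed decision order: explicit filter-policy authorisation first, then the
    'IP address as URL' block, then ordinary URL filtering for domain names."""
    ip = ip_literal_host(url)
    if ip is None:
        return "allow: domain name, URL filter applies"
    for net in authorized_networks:
        if ip in net:
            return "allow: %s explicitly authorized by the filter policy" % ip
    return "block: IP address %s used as URL" % ip


if __name__ == "__main__":
    # Constructed sample: an internal range and a few URLs a user might type.
    internal = [ipaddress.ip_network("10.0.0.0/8")]
    for url in ("http://www.example.com/", "http://10.1.2.3/intranet",
                "http://192.0.2.10/", "http://0xc0000202/", "http://[2001:db8::1]:8080/"):
        print(url, "->", proxy_decision(url, internal))
```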
HTTP proxy cache
Thanks to the HTTP proxy cache’s storage of resources in memory, web browsing
performance can be enhanced in low-bandwidth internet links or for access to a limited
number of websites. Users therefore benefit from optimized response times when visiting
websites, and bandwidth is saved as well.
NOTE
This feature is available only on models that have a hard disk.
It applies to HTTP(S) traffic in the filter policy, as a security inspection option. The tracking of
resources stored in memory and the management of the cache can be viewed in Realtime
Monitor (dashboard).
Explicit HTTP proxy
To enable a policy on a firewall hosted in the cloud to be similar to a policy on a physical
appliance, the listening port on an explicit HTTP proxy can now be configured in the filter
policy (destination port). This may therefore be different from the default port (8080/TCP).
For more information on how to create a policy in this mode, please refer to the Technical
Note “Hybrid mode Cloud Firewall - Appliance”.
Web administration interface
Filtering and NAT
Single window for editing rules
To facilitate the entry of the various parameters of a NAT or filter rule, a single window opens
when you double-click on the rule. This window will then allow you to edit the various
parameters offered in each column.
Statistics on the use of rules
In the active policy, each enabled filter and NAT rule displays a use counter. When you hover
the mouse over the icon, a tooltip indicates the exact number of times this rule was
executed. The 4 levels of use correspond to 0, 0 – 2, 2 – 20 and 20 – 100% of the use count
of the rule that has been used the most. To start a new count, click the “Reinitialize rule
statistics” button.
Comments
Comments relating to new rules indicate the date the rule was created and the user who
created it if it was not the “admin” account.
Dashboard: Properties
An entry now informs you of any new firmware upgrade available. The version number
displayed contains a link that allows downloading the upgrade file. To install it, go to the
Maintenance module, in the System update tab.
Real Time Monitor
SSL VPN
The VPN tunnels module now differentiates tunnels set up via IPSec VPN and via SSL VPN in
two separate tabs. The new tab SSL VPN tunnels logs communications between the remote
user and the central site through SSL VPN tunnels. Available information includes the user
name, his original IP and VPN IP addresses, duration, amount of data sent and received and
the port used.
HTTP proxy cache
The storage of resources in memory may improve web browsing performance for low-bandwidth
internet links or for access to a limited number of websites.
Resources stored in memory can be tracked and managed in the Dashboard, in the form of
3 diagrams. Two of them indicate the percentage of data stored in memory according to the
total number of requests and their total weight, and the third presents memory use.
Collaborative security
In the Events, Hosts and Vulnerability management modules, it is now possible to save in
the Network objects database a host displayed in the table and add it to a group. As such,
when critical vulnerabilities are detected, you will now be able to assign a strengthened
protection profile or specific filter rules to these hosts (quarantine zones, restricted access,
etc.).
Diagrams
All the diagrams embedded in the various modules of the interface present a new graph.
Explanations on usage
IPv6 support
In version 1.0, the following are the main features that will not be available for IPv6 traffic:
- IPv6 address translation (NATv6),
- Application inspections (Antivirus, Antispam, HTTP cache, URL filtering, SMTP filtering,
FTP filtering, SSL filtering),
- Use of the explicit proxy,
- DNS cache,
- SSL VPN tunnel portal,
- SSL VPN tunnels,
- Authentication via Radius or Kerberos,
- Vulnerability management.
High availability
If the firewall is in high availability and IPv6 has been enabled on it, the MAC addresses of
the interfaces carrying IPv6 (other than those of the HA link) must be defined in advanced
configuration. Since IPv6 link-local addresses are derived from the MAC address, they differ
between the two cluster members, which causes routing issues during a switchover.
Migration
Interfaces
When the original configuration does not contain all the expected Ethernet interfaces because
of a manual deletion in the network configuration file, these interfaces are recreated in the
target configuration during migration. The recreated interfaces keep their original names
(e.g. Ethernet2), but the administration interface will not recognize them as valid. This
issue can be resolved by renaming the interface concerned (e.g. dmz1 instead of Ethernet2).
System
The FreeBSD 9.2 system upgrade is affected by a known NTP vulnerability (CVE-2013-5211), as
the system cannot run the latest version of NTP. This vulnerability however cannot be
exploited on the firewall, as the configuration is secured by default.
Software update
Since the UFS (Unix File System) partitioning scheme was adopted in version 1.2.0, the
upgrade tool in the administration interface does not allow downgrading a firewall running
version 1.2.0 to a 1.1.x or older firmware version. To perform this operation, only a restoration
of the firewall via USB key is possible. This procedure is described in the Technical Note
“Software restoration by USB key” available in your secure area.
Furthermore, backtracking to a major firmware version older than the current version of the
firewall requires a prior reset of the firewall to factory settings (defaultconfig). This
operation is therefore necessary, for example, to migrate a firewall from a 1.x version to a
9.1.x version.
Configuration Support reference 31201
The NTP client on firewalls supports synchronization only with servers using version 4 of
the protocol.
Backup restoration
A configuration cannot be restored on a firewall whose system version is lower than the
version on which the backup was made. For example, a configuration backed up in version
1.2.0 cannot be restored if the current version of the firewall is 1.1.3.
Dynamic objects
Network objects with automatic (dynamic) DNS resolution, for which the DNS server offers
round-robin load balancing, cause the configuration of modules to be reloaded only if the
current address is no longer present in responses.
Watchdog
SN150 models do not have the hardware watchdog feature.
Activity Reports
Reports are generated based on logs saved by the firewall, which are generated when
connections are shut down. As a result, connections that remain active (e.g. IPSec tunnel
with translation) will not be shown in the statistics displayed by Activity Reports.
Logs generated by the firewall depend on the type of traffic as objects may not be named in
the same way (srcname and dstname). To avoid having multiple representations of the
same object in reports, you are advised to give the object created in the firewall’s database
the same name as the one associated via DNS resolution.
Intrusion prevention
HTML analysis
The rewritten HTML code is not compatible with all web services (apt-get, Active Update), as
the “Content-Length” header is removed.
Instant messaging
NAT is not supported on instant messaging protocols.
Preserve initial routing Support reference 35960
The option that allows preserving the initial routing on an interface is not compatible with
features for which the ASQ engine has to create packets:
- Reinitialization of connections during the detection of a blocking alarm (sending a
RESET packet),
- SYN proxy protection,
- The detection of the protocol by plugins (filter rules without a specified protocol),
- Rewriting of data by certain plugins such as web 2.0, FTP with NAT, SIP with NAT and
SMTP.
NAT Support reference 29286
Status management for the GRE protocol is based on source and destination addresses.
Two connections to the same server at the same time, either with the same client or sharing
a common source address, therefore cannot be differentiated (when "map" is used).
H323 support
The H323 protocol's support for address translation operations is rudimentary, in particular:
it does not support NAT bypass by gatekeepers (announcement of any address other than
the connection's source and destination).
Proxies
SSL proxy Support reference 31308
The SSL (Secure Sockets Layer) protocol, which became Transport Layer Security (TLS) in
2001, is supported in version 3 (1996). Sites that use an older version (which may present
security flaws) or that do not support starting the negotiation in TLS will be blocked.
Internet Explorer 7 and 8 do not enable TLS 1.0 support by default. For security reasons,
you are advised to enable TLS 1.0 support via an Active Directory object that defines host
configurations (group policy object, GPO).
FTP proxy Support reference 35328
If the option “Keep original source IP address” has been enabled on the FTP proxy, reloading
the filter policy causes disruptions to FTP transfers in progress (both uploads and
downloads).
Filtering
Outgoing interface
If a filter rule specifies an outgoing interface included in a bridge which is not the first
interface of this bridge, it will not be executed.
Multi-user filtering
It is possible to allow multi-user authentication for a network object (several users
authenticated on the same IP address) by entering the object in the list of Multi-user
Objects (Authentication > Authentication policy).
Filter rules with a user@object source type (except any or unknown@object), and with a
protocol other than HTTP, do not apply to this object category. This behavior is inherent in
the packet treatment mechanism used by the intrusion prevention engine.
The explicit message that warns the administrator of this restriction is: “This rule cannot
identify users who are logged on to a multi-user object”.
URL filtering Support reference 31715
Filtering by authenticated users cannot be carried out within the same URL filter policy.
However, it is possible to apply particular filter rules (application inspection) for each user.
Network
On the SN150 models, configurations containing several VLANs in a bridge are not
supported.
IPsec VPN
PKI
The presence of a certificate revocation list (CRL) is not required. If no CRL has been found
for the certificate authority (CA), the negotiation will be allowed.
DPD (Dead Peer Detection) Support reference 37332
The VPN feature known as DPD (Dead Peer Detection) allows checking whether a peer is still
operational by sending availability test requests.
If a firewall is the responder in an IPsec negotiation in main mode and DPD is set to
“inactive”, this parameter is forced to “passive” so that the peer’s DPD requests are
answered. This is because, during this IPsec negotiation, DPD is negotiated before the peer
is identified, and therefore before it is known whether DPD requests from this peer can be
ignored.
This parameter is not modified when the firewall is the initiator of the negotiation or in
aggressive mode, as in these cases DPD is negotiated once the peer has already been
identified.
IPv6 keepalive
For site-to-site IPsec tunnels, the additional keepalive option, which artificially keeps these
tunnels up, cannot be used with traffic endpoints that have IPv6 addresses. For traffic
endpoints configured in dual stack (IPv4 and IPv6 addresses), this feature applies only to
IPv4 traffic.
Authentication
SSO Agent
The SSO Agent authentication method is based on authentication events collected by
Windows domain controllers. As these do not indicate the source of the traffic, the
authentication policy cannot be specified with interfaces.
Support reference 47378
The SSO agent does not handle user names containing the following special characters: "
<tab> & ~ | = * < > ! ( ) \ $ % ? ' ` @ <space>. The firewall therefore will not receive
notifications of connections and disconnections relating to these users.
CONNECT method
Multi-user authentication on the same host in cookie mode does not support the CONNECT
method (HTTP). This method is generally used with an explicit proxy for HTTP connections.
For this type of authentication, the use of “transparent” mode is recommended. For further
information, please refer to the online help at documentation.netasq.com, chapter
Authentication.
Conditions of use
The Conditions of use for Internet access on the captive portal may not display correctly in
Internet Explorer 9 in Internet Explorer 7 compatibility mode.
Users
The creation of several users with the same login is allowed, but is not compatible with user
authentication.
Spaces in user logins are not supported.
Logging off
An authentication session can only be logged off using the same method used during
authentication. For example, if a user had authenticated using the SSO agent method, he
will not be able to log off through the authentication portal, as the user will need to provide a
cookie in order to log off, which does not exist in this case.
High availability
Interaction of H.A. in bridge mode and switches
In an environment with a firewall cluster configured in bridge mode, the traffic switchover
has been observed to take about 10 seconds. This duration corresponds to the switchover
time of 1 second plus the time taken by the switches to relearn MAC addresses.
Routing by policy
The connection router ID is not transferred to the passive firewall. As a result, a session
routed by the filter policy may be lost when the cluster switches.
Models
High availability based on a cluster of firewalls in different models is not supported.
Furthermore, a cluster with one firewall using 32-bit firmware and the other using 64-bit
firmware is not allowed.
Vulnerability manager Support reference 28665
The application inventory carried out by Vulnerability Manager indexes applications by the IP
address of the host that initiates the traffic.
Hosts whose IP address is shared by several users (for example an HTTP proxy, a TSE server
or a router that performs dynamic source NAT) may therefore cause a significant load on the
module. You are advised to place the addresses of these hosts in an exclusion list
(unsupervised elements).
Real Time Monitor Support reference 28665
The CLI command MONITOR FLUSH SA ALL was initially intended for disabling IPSec tunnels
in progress by deleting their security associations (SA). However, since Bird dynamic
routing also uses this type of SA, this command would degrade the Bird configuration and
prevent any connections from being set up. This problem also arises with the “Reinitialize
all tunnels” feature offered in the Real Time Monitor interface.
To resolve this issue, simply restart the Bird service.